Internet users regularly register with websites, cloud applications, or other web-based programs (each hereinafter a “website”). The user's registration information is generally kept confidential and used for the purpose of allowing the registrant or user to enter the website through a login process, and access the services offered by the website.
Fundamental to every secure transaction is authentication of the identity of a user, whether an individual or an individual representing a business. Identity authentication is particularly important for Internet-based transactions, where user identity cannot be verified by more traditional means such as visual inspection of a government-issued photo identification card. Reliable authentication and identity verification of businesses and/or individuals that engage in Internet-based commerce or information exchange is therefore a business necessity. Despite these authentication requirements, fraud remains prevalent on the Internet. Impostors (“fraudsters”) often register with or log in to websites that hold sensitive data using untraceable or false email addresses and/or phone numbers, or use other schemes that defeat the traditional authentication processes such websites have in place. For example, a common attack employed by fraudsters is “account takeover,” in which a fraudster tricks a user into disclosing, or outright steals, the user's login credentials (e.g., username and password), often by means of software that records the user's keystrokes (a keylogger) or as a result of a security breach of the user's computer. The stolen credentials then give the fraudster access to the user's account. The effect of such a breach can be devastating to website owners and to users whose sensitive information may be accessed, or who may otherwise be defrauded as a result. The increasing occurrence of fraud is especially concerning as more commerce and transactions move online and fraudsters grow more sophisticated.
In addition to account takeover, fraudsters often attempt “bulk registration” of hundreds or thousands of accounts at one time. Current preventive measures such as IP address blocking, email address validation, and “captcha” challenges intended to confirm that the registrant is a human being are often ineffective in preventing fraudulent bulk registrations. Once fraudsters have created these accounts, they can leverage them to commit further fraud. By creating many accounts at one time, a fraudster may spread fraudulent activity across them in ways that make the activity harder to detect, enabling a greater amount and variety of fraud than would be possible with a single fraudulent account and making identification and removal of the fraudulent accounts exceedingly difficult. In addition, while the fraudulent accounts exist, they consume the website's computing resources and pose a significant risk to the website's brand, reputation, and legitimate users.
Concerned about the potential for fraud during Internet-based transactions, security practitioners recommend authentication methods that do not rely solely on a traditional, single-control method requiring only a username and password to gain access to a website or application. In its Supplement to Authentication in an Internet Banking Environment, the Federal Financial Institutions Examination Council (“FFIEC”) acknowledged that there have been significant changes in the security threats to Internet-based transactions, and expressed concern that the methods and controls traditionally in place have become less effective against malicious attacks that may compromise authentication and security. The FFIEC's supplement recommends “layered” or “multi-factor” security for authentication and fraud prevention in Internet-based transactions. Accordingly, one recommended “effective control” is “two-factor authentication,” a method that requires at least one additional authentication layer beyond the initial username and password login, often delivered through a different access device.
The types of two-factor authentication that currently exist are centered on a first layer that relies on predetermined information the user or registrant is expected to know, often referred to as “something you know.” Examples include a username and password, an identifier such as a social security number in conjunction with the answer to a secret question, or another unique identifier known to the user. The second layer, often referred to as “something you have,” is based on a physical item in the possession of the registrant or user that can be used to verify his or her identity, e.g., a physical token, or the registrant or user's telephone, mobile device, or other communication device. Alternatively, the second layer can be achieved with biometric identification, such as fingerprint or voice recognition, often referred to as “something you are.” Two or more distinct factors may be combined to form a “multi-factor” authentication process, e.g., the user first authenticates with a username and password (something you know), is then called on a communication device (something you have), and is asked for a voiceprint (something you are). Unfortunately, because the difficulty of incorporating a “something you are” component on top of a “something you have” component is perceived to outweigh the security gain, adoption and proper use of multi-factor authentication has remained limited even as security threats to Internet-based transactions continue to increase.
A recently developed alternative to the traditional options outlined above is an additional authentication factor called behavioral biometrics. While behavioral biometrics are an offshoot of “something you are,” many in the authentication industry are beginning to treat them as a category of their own. Behavioral biometrics are sometimes referred to as “behaviometrics” or “something you do” because they are based on behavioral rather than physiological characteristics. Although behavioral biometrics may include such diverse characteristics as typing rhythm, speech patterns, or gait, typing rhythm (“keystroke dynamics”) has typically been the focus of authentication mechanisms based on behavioral biometrics. Companies such as Deepnet Security and Intensity Analytics produce typing-rhythm analysis products for authentication; however, even those vendors acknowledge that many factors can cause typing-rhythm analysis to err. Typing rhythm is an imperfect identifier for authentication because of the wide variance in behavior of even a single user, due to injury, fatigue, distraction, and even the everyday use of automated tools (e.g., form auto-fill) in a user's workflow. Nevertheless, typing rhythm may serve as one of several characteristics that, in combination with traditional authentication measures, help secure session-based interactions with websites, especially where a user's username and password have been compromised or the user's session has been hijacked by a man-in-the-middle or man-in-the-browser attack. Session-based behavioral monitoring products currently on the market include Silver Tail Systems™, Authenware™, and Delfigo Security™, which monitor typing rhythm in conjunction with click activity and other session-based behavioral biometrics.
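One way to make the typing-rhythm check described above concrete, as an added example that is not code from this page or from any of the vendors it names: the block below enrolls a template of per-key hold times and key-to-key flight times from several typings of a password, scores a new typing against it, and uses the score only to decide between allowing the login and requesting another factor once the password itself has been verified. The feature set, the 10 ms sigma floor, the 3-sigma tolerance, the 0.8 decision threshold and all key timings are assumptions constructed for illustration, not recordings or a published scheme.

```python
"""Keystroke-dynamics ("typing rhythm") scoring layered on a password check.

Added example; it is not code from the page or from any vendor named there.
The feature set (per-key hold time and key-to-key flight time), the
enrollment statistics, the 10 ms sigma floor, the z-score tolerance and the
0.8 decision threshold are assumptions chosen for illustration.  All key
timing samples are constructed, not recorded from a real user.
"""
import hashlib
import hmac
import os
from statistics import mean, pstdev

SIGMA_FLOOR_MS = 10.0   # assumed: never trust a spread tighter than 10 ms
Z_MAX = 3.0             # assumed: a feature "matches" when within 3 sigma


def events_from_timings(keys, holds, flights):
    """Build (key, press_ms, release_ms) events from hold/flight lists.
    Used only to construct sample data inline; a real client would record
    keydown/keyup timestamps."""
    events, t = [], 0
    for i, key in enumerate(keys):
        press, release = t, t + holds[i]
        events.append((key, press, release))
        if i < len(flights):
            t = release + flights[i]
    return events


def features(events):
    """Hold times (release - press) followed by flight times
    (next press - this release).  A 6-key password gives 6 + 5 features."""
    holds = [rel - prs for _, prs, rel in events]
    flights = [events[i + 1][1] - events[i][2] for i in range(len(events) - 1)]
    return holds + flights


def enroll(samples):
    """Per-feature (mean, sigma) over several typings of the same string."""
    vectors = [features(s) for s in samples]
    if len({len(v) for v in vectors}) != 1:
        raise ValueError("all enrollment samples must have the same key count")
    columns = list(zip(*vectors))
    return [(mean(c), max(pstdev(c), SIGMA_FLOOR_MS)) for c in columns]


def rhythm_score(template, events):
    """Fraction of features within Z_MAX sigma of the enrolled profile (0..1)."""
    vec = features(events)
    if len(vec) != len(template):
        return 0.0   # different key count: cannot be the same string
    hits = sum(1 for x, (mu, sigma) in zip(vec, template)
               if abs(x - mu) / sigma <= Z_MAX)
    return hits / len(template)


def hash_password(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def authenticate(stored_hash, salt, password, template, events, threshold=0.8):
    """The password is the gate.  Rhythm only chooses between 'allow' and
    'step_up' (ask for another factor); it never allows on its own."""
    if not hmac.compare_digest(hash_password(password, salt), stored_hash):
        return "reject"
    return "allow" if rhythm_score(template, events) >= threshold else "step_up"


# ---- constructed samples for the password "s3cret" (milliseconds) ----
KEYS = list("s3cret")
ENROLL_SAMPLES = [
    events_from_timings(KEYS, [90, 110, 95, 100, 85, 105], [120, 140, 110, 130, 125]),
    events_from_timings(KEYS, [95, 105, 100, 95, 90, 100], [130, 135, 115, 125, 130]),
    events_from_timings(KEYS, [85, 115, 90, 105, 88, 110], [115, 150, 105, 135, 120]),
]
GENUINE_SAMPLE = events_from_timings(KEYS, [92, 108, 97, 98, 90, 102], [125, 138, 112, 128, 127])
# same user, fatigued: holds drift a little, pauses between keys grow by ~40 ms
TIRED_SAMPLE = events_from_timings(KEYS, [110, 130, 115, 120, 105, 125], [162, 182, 150, 170, 165])
# attacker who knows the password but types it with a different rhythm
IMPOSTOR_SAMPLE = events_from_timings(KEYS, [50, 50, 80, 50, 52, 50], [230, 240, 220, 250, 235])

TEMPLATE = enroll(ENROLL_SAMPLES)
SALT = os.urandom(16)
STORED_HASH = hash_password("s3cret", SALT)

if __name__ == "__main__":
    for name, sample in [("genuine", GENUINE_SAMPLE), ("tired", TIRED_SAMPLE),
                         ("impostor", IMPOSTOR_SAMPLE)]:
        print(name, round(rhythm_score(TEMPLATE, sample), 3),
              authenticate(STORED_HASH, SALT, "s3cret", TEMPLATE, sample))
    print("wrong password", authenticate(STORED_HASH, SALT, "s3cret!", TEMPLATE, GENUINE_SAMPLE))
```

The fatigued sample scores 6 of 11 features and is routed to a step-up challenge rather than rejected, which is the practical consequence of the variance noted above: a rhythm mismatch is a reason to ask for another factor, not proof of an impostor. The converse caveat also follows from the page: a keylogger or man-in-the-browser that captures keystroke timestamps can replay the rhythm along with the password, so this signal does not replace a “something you have” factor.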
Overall, the examples herein of some prior or related systems and their associated limitations are intended to be illustrative and not exclusive. Other limitations of existing or prior systems will become apparent to those of skill in the art upon reading the following Detailed Description.